CVE-2026-49948
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
Mem0 versions up to 0.2.8 contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but does not validate the caller's role. Any authenticated user with a distributed API key can redirect traffic to an attacker-controlled server.
Risk Assessment
This vulnerability allows for the persistent introduction of malicious configuration into the PostgreSQL database, potentially affecting all users and API keys on the instance, posing a serious data security threat.
Recommendation
It is recommended to upgrade to Mem0 versions after 0.2.8 to eliminate this vulnerability and implement additional role verification mechanisms when modifying configurations.
Original NVD description (English source)
Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

